North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
The FBI and its partners alert organizations to ongoing cyber espionage activity by North Korea's Reconnaissance General Bureau (RGB) 3rd Bureau, known as Andariel. This group targets defense, aerospace, nuclear, and engineering entities to acquire sensitive technical information for Pyongyang's military and nuclear programs. The group conducts phishing campaigns and exploits software vulnerabilities, such as Log4j, to gain initial access to networks. They utilize custom malware implants and open-source tooling for lateral movement, data exfiltration, and remote access. The group funds their operations through ransomware attacks against US healthcare entities. Critical infrastructure organizations are advised to patch vulnerabilities, protect web servers from web shells, and enhance authentication and remote access protections. The victimology includes heavy tanks, fighter aircraft, submarines, nuclear power plants, and shipbuilding technology. The group's techniques align with the MITRE ATT&CK framework, including reconnaissance, exploitation, and execution. By sharing this advisory, the authoring agencies aim to assist organizations in defending against Andariel's malicious cyber espionage activities.